1. About our Products
Offensive Security offers cybersecurity training and certification products and associated services. These products include pdf books, videos and hands-on labs. These products and related materials may be downloaded or accessed online. Some are bought on a subscription basis and some on a one-time basis. Product users may have access to an online account management page to manage their relationship with us depending on the product that they use.
Certification is granted if the standards required to pass an exam offered by Offensive Security are met. Exams may be proctored via webcam and screen capture. All product users and customers must comply with the Terms. All those who take our exams must comply with the Terms, our Academic Policy, Exam Guides and Proctoring Guidelines.
2. Definitions
The following capitalised terms are used in the Terms and have the meanings defined below.
Affiliate means a legal entity that directly or indirectly (a) controls (b) is controlled by or (c) is under common control of another legal entity
Confidential Information means the content of Products, Materials and exams, any information about them that may help a person pass one of our exams, the terms of your Order and other business, financial or technical information in any form which the Recipient should reasonably know is confidential
Customer means a person or entity buying Product
Customer User means a person using Product under a Customer’s account (a) as Customer’s employee (b) as Customer’s contractor (c) in another capacity identified in Customer’s Order
Discloser means the party disclosing Confidential Information
Damage(s) means loss(es), damage(s) or cost(s) arising in any way
Data Privacy Laws means all data protection legislation in force from time to time applicable to the processing of Product User Personal Data including the General Data Protection Regulation ((EU) 2016/679) (GDPR)
Exam Guides means Offensive Security’s requirements and instructions for each of our exams found at https://support.offensive-security.com
Exam Related Materials means exam reports, lab reports, walkthroughs for any of our course or exam labs, video or sound recordings, documents, graphics, tools, dashboards or other materials created by a Product user after access to our Intellectual Property Rights or Confidential Information that may help a person pass one of our exams
FAQs means frequently asked questions found at FAQs
Increase Notice means a notice we give you regarding any increase in the Price you will pay if you buy Products on a subscription basis
Intellectual Property Rights means database rights, design rights, moral rights, patents, trademarks, service marks, trade and service names, copyrights, know-how, trade secrets and similar rights existing anywhere in the world at any time
Materials means video recordings, lab contents, pdf books, data, documents, graphics, tools, dashboards, software, code, other materials and associated media provided by us with Product
Order means our online or other registration or order form that describes the Products we provide you
Payment Method means a valid credit or debit card(s) or other means of payment we accept
Personal Data means the same as it does in GDPR
Price means the amount payable for Products set out in your Order, and as adjusted by any Increase Notice
Processing means the same as it does in GDPR
Product(s) means our free or paid services, products or features (a) as described in your Order or (b) which we otherwise authorise you to use
Product User Personal Data means Personal Data provided to us by or about a Product user
Recipient means the party receiving Confidential Information
Site means www.offensive-security.com, other websites owned by us on which these terms and conditions appear, and subdomains of those sites and content provided through them
Student means an individual registered with us to use a paid Product
Terms means these terms and conditions and any further terms set out in your Order as applicable to you. If there is a conflict between your Order and these terms and conditions, your Order will take precedence
We/our/us means OffSec Services Limited or one of its Affiliates
You/your means Customer, Product user and/or Site visitor depending on the context
If we use the word “including” or similar words before describing any items, such items are examples only and should not be regarded as an exhaustive list.
3. Accepting the Terms
The Terms create a legally binding agreement between you and us and apply every time you buy or use Products, Materials or Site. If you click online to indicate your acceptance of the Terms, make payment based on an Order that references the Terms, or continue to use Products or Site, you have agreed to the Terms.
We do not accept any other terms or conditions that you attempt to impose on us including those associated with any purchase order you issue. Such other terms and conditions will not apply to your Order.
You must ensure that any of your Affiliates or Customer Users that access Products you have bought from us comply with the Terms.
4. Registering with us
When you register with us to use Products you:
- Must be 18 years old or over
- Are subject to our standard Product user registration requirements
- May not be accepted as a Product user in our sole discretion
- Must provide accurate and complete information and then keep it up to date.
5. Taking Our Exams
If you breach our Academic Policy we may, in our sole discretion:
- Revoke all existing certification(s) you have obtained from us
- Disqualify you for life from all of our courses and exam(s)
- Disqualify you for life from buying our Products
6. Paying for Products
You must pay the Price on the billing date and at the billing frequency mentioned in your Order.
We will charge you the Price on (a) each renewal of your subscription period or (b) at the billing frequency stated in your Order (if different) when you buy Products on a subscription basis.
You must tell us of any dispute over the Price within 15 days of the date of our invoice or your last billing date. Overdue amounts will incur interest at a rate of 1.5% per month or the maximum rate permitted by law (whichever is less) except for amounts disputed in good faith.
The Price excludes applicable taxes. If you must deduct withholding tax from the Price, you must pay us an amount that ensures our net receipt is the same as it would have been were the payment not subject to such withholding.
7. Paying for Subscriptions
You must provide us with a Payment Method if you buy Products on a subscription basis unless we state otherwise in your Order. We can charge the Price to any Payment Method associated with your account.
We may suspend your access to Product until we have been able to charge your Payment Method for all amounts due. You are responsible for (a) any uncollected amounts (b) all fees or charges made by the Payment Method issuer.
You can update your Payment Method by going to your online account management page. We may also update your Payment Method using information provided by your payment service providers. We can continue to charge the applicable Payment Method(s) following any such update.
We use third parties to process payments. Your payment information, Payment Method and other Personal Data will be passed to such third parties.
8. Adjusting Subscription Prices
We may increase the Price by providing you with an Increase Notice at any time if you buy Products on a subscription basis. Any increase will apply from the next renewal of your subscription period occurring 30 days or more after the date of the Increase Notice.
9. Using Products
We license you to use Site, Products and Materials for your own personal use in accordance with the Terms.
You must make sure (a) you have the knowledge, expertise, equipment and facilities needed to use Products (as posted on Site from time to time) (b) Products are suitable for your purpose.
You must start using a Product within any specific time period we specify and we are under no obligation to extend that period.
In relation to Products, Materials and Site, you must not (a) remove or hide proprietary notices (b) remove or hide Personal Data we use to identify you as Product user including watermarks on the pdf books and videos you download (c) perform any attack, scan, test, probe or penetration other than as specifically permitted by us in our course or exam materials (e) perform other actions that may cause damage (f) use data mining, robots or similar data gathering methods (g) harm or interfere with other Product users.
To ensure you comply with the Terms, we will routinely monitor your activity while you are using our Products or taking an exam.
10. Using Interactive Product Features
Some Products may allow interactivity among Product users including instant messaging, chatrooms, blogs, forums, polls or bulletin boards. We do not routinely check interactions among Product users and accept no liability for material posted via these interactive features. We have no obligation to remove these materials but we may do so at our sole discretion.
You must not (a) use abusive, defamatory, illegal or objectionable language (b) send advertising or marketing material (c) infringe others’ privacy, confidentiality or intellectual property rights when using interactive Product features.
11. Responsibility for Customer Users
If you are a Customer purchasing Products for your Customer Users:
- As Customer, you are permitted to use Products and associated Materials for your own internal business purposes in accordance with the Terms
- As Customer, you may only allow your Customer Users to use Products and Materials
- As Customer, you must ensure Products and Materials are not shared between your Customer Users
- We can communicate directly with your Customer Users in relation to our products and services.
12. IP Ownership
All Intellectual Property Rights in Site, Products and Materials are owned by us. You have no rights in Site, Products or Materials except as stated in the Terms. We own and will continue to own the media by which Products and Materials are provided to you. You cannot use our name, logos, trademarks or any derivatives.
You must not copy, share, sub-license, change, create derivative works from, or in any other way misuse any part of Site, Products or Materials.
This includes not (a) sharing all or part of our course materials with any third party including by posting on any platform, repository or on social media (b) video recording your screen while it interacts with any of our labs (c) using our course materials to assist any person to pass one of our exams including sharing lab walk throughs, exam walk throughs (d) accessing Site, Products or Materials for competitive purposes.
If you share or publish Exam Related Materials in breach of the Terms, on the date of such breach, you automatically assign to us all Intellectual Property Rights in such Exam Related Materials together with all rights in respect of any infringement.
We collect and use (a) information related to your use of Products (b) your feedback on Products. We may use that feedback freely and without compensation to you and we will own all Intellectual Property Rights in derivative works we create based on that feedback.
13. Keeping Products Secure
Access to Products and Materials is subject to password and other security credentials we provide. We can change such passwords and other security credentials on notice. They must not be shared.
You must (a) put in place appropriate security measures to prevent unauthorised access to or disclosure of Products or Materials. Those measures must be consistent with standards reasonably expected of an information security professional (b) promptly cure and tell us about any unauthorised access or disclosure of Products or Materials when you become aware.
14. Making Changes to Products
We constantly improve our Products to deliver a better experience or better value to our Customers. We reserve the right to change a Product at any time (including changing specifications, delivery media or platform or removing third party owned content). We will not change a Product’s fundamental nature without letting you know.
15. Supporting our Customers
We may provide self-help via various tools and will provide email and/or online access to our support team to help resolve Customer technical and other issues. The FAQs provide more information on the support we provide.
16. Confidential Information
Recipient and its Affiliates must (a) hold Discloser’s Confidential Information in confidence and disclose it to no third party (b) use that Confidential Information solely for Recipient’s provision or use of Products. Recipient must ensure its Affiliates comply with the Terms relating to Confidential Information.
If you are Recipient, you will be in breach of your duties of confidentiality if you disclose:
- Information in your exam report
- Information in your lab report
- Any walk through for any of our course or exam labs
- Vulnerabilities and exploits in the context of any of our course or exam labs
- Any other information that may help a student pass our exams
Sharing or publishing such Exam Related Materials is also a breach of our Academic Policy.
Confidential Information will not include information which (a) is or becomes generally available to the public through no act or omission of Recipient or its Affiliates (b) becomes known to Recipient or its Affiliates through a third party (c) was lawfully in the possession of Recipient or its Affiliates before disclosure by the Discloser (d) is limited to the name and logo of Customer disclosed on Site or in our other promotional material.
If the law compels Recipient to disclose Discloser’s Confidential Information, Recipient must (a) provide prompt notice to Discloser (if legally permissible) (b) limit that disclosure to the extent of the legal requirement. Any disclosed information will remain Confidential Information despite that disclosure.
You and your Affiliates must promptly return, delete or destroy (at our discretion) our Confidential Information if your right to use Product terminates or when asked by us at any time. You can keep copies to the extent required by law and those copies will remain our Confidential Information.
17. Your Data Privacy
We are the Data Controller (as defined in GDPR) of Product User Personal Data. We will process Product User Personal Data in accordance with the duties imposed on us under the Data Privacy Laws and our Privacy Notice from time to time.
In order for us to keep a public register of the status of our certificate holders, we reserve the right to publish Student information. This information includes (a) Student name (b) Student Offensive Security Identification Number (OSID) (c) course taken by Student (d) exam passed by Student (e) certificate issuance and cancellation status and information. We can also provide such information to any third party who has paid for you to access Products.
If you are a Customer User using Products via a Customer’s account (a) any account you create will be subject to control by Customer and Customer’s admins (b) your account information and other Personal Data will be shared with Customer and Customer’s admins (c) your Personal Data may also be visible to other Product users in Customer’s account.
If the domain of the email address associated with your account is owned by a Customer and Customer wishes to add that email address to its account, the Personal Data concerning your existing account may become accessible to that Customer.
18. Our Liability to Each Other
You must indemnify us against any Damages we suffer or incur if you breach any of the Terms. We may also, in our sole discretion:
- Revoke all existing certification(s) you have obtained from us
- Disqualify you for life from all of our courses and exam(s)
- Disqualify you for life from buying our Products
Our total liability to each other for Damages in connection with the Terms, Products or Materials will not exceed the amount paid by you for the Product giving rise to the claim during the 12 months immediately preceding the date the claim arose.
We have no liability to you if you are a Site visitor or user of our free Products only.
Neither of us will be liable for (a) indirect, incidental, punitive, special or consequential Damages (b) loss of profits (except regarding non-payment of the Price) even if that Damage or loss could have been foreseen or prevented.
The limits on liability in the Terms do not apply to (a) fraud, fraudulent misrepresentation, gross negligence or wilful misconduct (b) negligence causing death or personal injury (c) indemnification obligations (d) a party’s infringement of the other’s Intellectual Property Rights (e) breaches relating to Confidential Information (f) your liability to pay the Price. Nothing in the Terms limits liability that cannot be limited by law.
19. What We Are Not Responsible for
Exercises contained in our labs should only be attempted inside our hosted lab environment which is segregated from the internet. Attempting these exercises in a live environment would be illegal without permission of the system owner. We do not authorize you to perform these exercises outside our lab environment. You must indemnify us against Damage we suffer or incur if you do so.
If we provide you with links to other websites or services, accessing those links is at your sole discretion and risk. We do not review, endorse and are not responsible for such websites or services.
We exclude all warranties, conditions and other terms implied by law to the maximum extent allowed by law. We provide Site, Products and Materials “as is” without warranty of any kind. We do not warrant that Site, Products or Materials (a) will be free of interruptions, delays, omissions, inaccuracies or errors or that any such thing will be corrected (b) will be available at any particular time or location (c) are free of viruses, worms, Trojan horses, email bombs, back doors or other harmful components (although we will implement reasonable measures designed to ensure Site, Products and Materials are free of such items based on the nature and intended use of Products).
20. Third Party IP Claims
We will indemnify Customer against Damages Customer incurs because of any claim that Product or Materials infringe the Intellectual Property Rights of a third party. This indemnity will not apply if Damages result from (a) the combination of Product or Materials with third party products or services (b) changes to Product or Materials other than by us (c) use of a version of Product or Materials if we have told you to use a later version (d) Customer’s breach of the Terms.
We can cure alleged or anticipated infringements of third-party Intellectual Property Rights by (a) procuring the right for Customer to continue to use Product or Materials (b) modifying affected Products or Materials so they become non-infringing without reducing performance or functionality (c) replacing affected Products or Materials with non-infringing items without reducing performance or functionality.
Our indemnification duties in this Section are subject to Customer (a) providing us with prompt notice of the claim (b) giving us control of the claim if we ask for it (c) co-operating at our expense in the defence or prosecution of the claim (d) not making any admission or trying to settle any claim without our prior written approval. Customer can participate in the defence of such claims through legal counsel of Customer’s choice and at Customer’s expense.
21. Circumstances Beyond Your or Our Control
Neither party will be liable for Damages arising from failure to perform that party’s obligations due to circumstances beyond that party’s reasonable control. If those circumstances cause material deficiencies in a Product and continue for over 30 days, either party can terminate its obligations for the affected Product on notice to the other party.
22. Complying with the Law
We provide and you must use Products in accordance with applicable laws and regulations.
You must not obtain, keep, use, or provide access to any Product to an Affiliate, Product user or any other third party in a manner that may breach the export control or economic sanctions laws and regulations for any jurisdiction including the United States of America, the United Kingdom and the European Union and its Member States. You warrant that you are not (a) specially designated or sanctioned (b) affiliated with a specially designated or sanctioned person or entity, under any of such laws. You must not involve third parties that are subject to economic sanctions, including by submitting funds to us via sanctioned financial institutions when you deal with us or our Affiliates.
You must not use knowledge or expertise gained from Products in any illegal or unethical manner or to harm any person or entity.
23. Length of Our Relationship
If you are a Site visitor, the applicable Terms will apply for as long as you use our Site.
Otherwise, your agreement with us starts with effect from the date your Order is accepted by us and will stay in force until it is terminated in accordance with the Terms.
If you are entitled to use Product for a specific term, you cannot terminate your obligations during that term.
Your Order or online account management page will state if your Order is on a subscription basis and if so, the subscription period and the billing frequency. On expiry of each subscription period, your subscription will automatically renew for additional periods equal to your original subscription period unless terminated in accordance with the Terms.
24. Suspending or Terminating Our Relationship
We can suspend your rights in relation to Product if (a) we have the right to terminate such rights or (b) to protect our systems or security. Suspension will not affect any of our rights to later terminate your use of Products.
If you buy Products on a subscription basis:
- With a monthly subscription period, you can terminate your Order at any time by using your online account management page and following the instructions for cancellation or by giving us written notice.
- With any other subscription period, either of us can terminate your Order in the way specified in your online account management page or by giving to the other at least 30 days prior written notice to expire with effect from the end of the then current subscription period.
You will continue to have access to Products through to the end of your current subscription period. No refunds of the Price are given if you terminate part way through a subscription period.
Either party can terminate its obligations in relation to Product immediately on notice if the other party materially breaches the Terms and the breach (a) cannot be cured or (b) continues 30 days after the date the breaching party receives notice describing the breach and requiring it to be cured.
We can suspend or terminate your access to free Products, interactive Product features or Site at any time.
If you use Product under a Customer’s account that terminates, your right to use Product will also terminate automatically and without notice.
25. Miscellaneous Terms
Notices of breach of the Terms by us must be given by email to legal @ offensive-security.com attn General Counsel. Other notices to us must be given by email to orders @ offensive-security.com. Notices to you will be given by email to any email address you provided to us in your Order or in your online account management page. Increase Notices may also be given through your online account management page.
Notices given by email to the correct email address will be deemed delivered when sent. Notices given through your online account management page will be deemed delivered when posted.
Survival of Terms
Terminating your rights to use Products will not affect your or our respective accrued rights and duties. The following sections of the Terms will survive termination: 2 (Definitions), 3 (Accepting the Terms), 12 (IP Ownership), 13 (Keeping our Products secure), 16 (Confidential Information), 17 (Your Data Privacy), 18 (Our liability to each other), 19 (What we are not responsible for), 22 (Complying with the law), and 25 (Miscellaneous terms).
The Terms and disputes or claims about the Terms will be governed by the laws of England and Wales. Each of us consents to the non-exclusive jurisdiction of the courts of England and Wales to settle disputes or claims about the Terms.
Nothing in the Terms prevents either of us from seeking an immediate injunction or similar remedy from any court of competent jurisdiction to prevent or restrain breaches of the Terms.
These terms and conditions can be changed by us from time to time and such changes will take effect when posted on Site. Your continued use of Product, Materials or Site constitutes your agreement to such changes.
Without the other party’s prior written consent, neither of us can assign or transfer in any other way any right or duty under the Terms. We can assign the Terms (a) to an Affiliate (b) in connection with our or an Affiliate’s sale of a division, product or service (c) in connection with a reorganization, merger, acquisition or divestiture of us or an Affiliate or any similar business transaction.
If any non-fundamental Terms are illegal or unenforceable, those Terms will be deemed changed to the minimum extent necessary to make them legal and enforceable. Those Terms will be considered deleted if that change is impossible. Any change or deletion will not affect the validity and enforceability of the rest of the Terms.
If either of us delays or fails to exercise any right or remedy under the Terms, such delay or failure shall not constitute a waiver of that right or remedy.
The Terms contain the entire understanding between you and us about Site, Product and Materials and supersede all prior agreements or understandings, verbal or written. Each of us agrees that it has not relied on, and neither of us has any liability for, any representations not expressed in the Terms.
OFFENSIVE SECURITY’S ACADEMIC POLICY – TRY HARDER
At Offensive Security we train our students by developing their mindset. We believe the “Try Harder” mindset is essential to be a successful security professional. We develop this mindset through hands-on labs and exams. We believe that working independently through the exercises and training materials is part of the journey necessary to gain this mindset. To achieve our training goals, we do not provide our students with hints or answers. Instead we expect them to ask targeted and researched questions and work independently through repeated trial and error to find solutions to the various challenges in our training and exams. With these goals and spirit in mind, our Academic Policy describes the actions and behaviors expected of our students.
In this Academic Policy the phrase “Course Materials” means Offensive Security’s (a) course books and videos (b) course and exam lab machines and associated content (c) exam and lab report templates (d) any other non-public material Offensive Security supplies to its students.
While in our labs, preparing for or taking our exams and at all times after:
- You must:
  - Put in place appropriate physical and technical security measures to prevent unauthorised access to or disclosure of our Course Materials consistent with standards reasonably expected of an information security professional
  - Promptly cure and tell us about any unauthorised access or disclosure when you become aware
- You must not sell or make available Course Materials to anyone else – Course Materials are for your personal use only
- You must only use Course Materials that are provided to you by Offensive Security
- You must not have someone else take an exam for you and you must not take an exam for someone else
- You must not ask for assistance from anyone during an exam. You also must not provide assistance to anyone who is taking an exam.
- You must not video record your screen while it is interacting with any of our Course Materials. However, you may take screenshots and copy data to the extent needed for your exam or lab report.
- Any information related to our course or exam machines is considered strictly confidential and you must not share it with anyone. This includes:
  - Your exam report
  - Your lab report
  - Any walk through for any course or exam machine
  - Vulnerabilities and exploits in the context of any course or exam machine
  - Any other information that may help a student pass the exam

  If such information has been shared by somebody else in breach of this Academic Policy, you must not use it to help you pass your exam
- You must not misrepresent your identity or provide false statements to gain accommodations during the course or exam
- You must not participate in any other conduct that might compromise the integrity or confidentiality of our exams
- You must not use any knowledge or skills gained from any of Offensive Security’s courses in an illegal, unethical manner, or to harm any person or entity
If you violate this Academic Policy:
To ensure the confidentiality and integrity of our exams and training materials, we have a very strict posture regarding any breach of our Academic Policy. In our sole discretion, we will take the following actions against violators of our Academic Policy:
- We will revoke all existing Offensive Security certification(s) you have obtained
- We will disqualify you for life from any Offensive Security courses and exams
- We will disqualify you for life from making future Offensive Security purchases
Your certification status may be disclosed to enquiring parties.
Last Updated February 5, 2020
This is our Privacy Notice.
We only process your Personal Data if we have a legal basis to do so – this may be consent or another legal basis; we collect only the information necessary to fulfill your relationship with us; we don’t sell it to third parties; and we only use it as this Privacy Notice says we do. We strive to provide a high standard of privacy protection for you. For the full version please continue reading.
Background to this Privacy Notice
The entity responsible for processing your Personal Data is OffSec Services Limited, of 5 Secretary’s Lane, Gibraltar along with its affiliates and individual contractors (“Offensive Security”). It provides the products and services as advertised on Offensive Security’s Sites (as defined below) to individual students (“Students”) and customers who are organizations (“Customers”).
This Privacy Notice explains what Personal Data (as defined below) we collect on our Sites, which include offensive-security.com, kali.org, kali.training, and exploit-db.com (“Sites”), and through the offering of our Services to Site visitors, Students and Customers and the provision of services to us by third parties (“Suppliers”).
This Privacy Notice explains how we use and share that Personal Data, and your choices about our data practices. Please read this Privacy Notice before using the Sites.
Other related terms and conditions
What this Privacy Notice does not apply to
This Privacy Notice does not apply to:
- Personal Data we hold about our employees or consultants.
- How other organizations use your Personal Data if you link to their Sites, apps, products, services or social media from our Sites, apps or social media. By providing these links we do not imply that we endorse or have reviewed these third party sites. Please contact those sites directly for information on their privacy practices and policies.
- Personal Data you post to the public areas of the Sites or Services. This includes, but is not limited to comments on any Offensive Security blog or public forum. Comments posted to public areas may be viewed, accessed, and used by third parties subject to those parties’ privacy practices and policies.
Accessing your Personal Data
We want to make sure the Personal Data we hold on you is up to date and relevant. You are also legally entitled to know what Personal Data we hold on you. If you’d like a copy of some or all of your Personal Data or you think your Personal Data is inaccurate, you can ask us to correct or remove it. Please contact us at privacy @ offensive-security.com.
Please be aware that if you do not want to provide your Personal Data to us or you ask us to delete it, we may no longer be able to provide the Services to you.
Personal Data we collect
When you interact with us, our Sites or Services, we collect Personal Data that, alone or combined with other Personal Data, could identify you (“Personal Data”).
Automatically Collected Data
When you access the Sites or use the Services, the following Personal Data is created and automatically logged in our systems:
- Log data: Information (“log data”) that your browser automatically sends whenever you visit the Offensive Security Sites. Log data includes your Internet Protocol (“IP”) address, browser type and settings, the date and time of your request, and how you interacted with the Sites or Services.
- Device information: Information (“device data”) that includes the device you are using, operating system, settings, unique device identifiers, network information and other device-specific information. The information collected may depend on the device you use and its settings.
- Usage Information: Information (“usage data”) we collect about how you use our Sites and Services, such as the content you view or engage with, the features you use, and the actions you take.
We use various technologies to collect and store information, including cookies, pixel tags, local storage such as browser web storage or application data caches, databases and server logs.
Personal Data You Give Us
When you access the Sites, we may collect additional Personal Data from you through web forms such as names, phone numbers, postal addresses, email addresses, or other Personal Data you provide to us.
When you ask about, sign up for or use the Services, you may voluntarily give us certain Personal Data, including your location, name, company, gender, age range, and contact information. We also may collect from you billing information (i.e., country and credit card details). We may further collect from you a scanned government ID, scanned utility bill(s), scanned bank statement(s), and scanned income statement(s), parent name(s), IDs, and consent letters.
We also collect Personal Data you provide to us when you complete any “free text” boxes in our forms or provide us with any emails (for example, support request or survey submission). In addition, we may collect Personal Data disclosed by you on our blogs and forums and our other areas of the Services to which you can post Personal Data and materials.
Personal Data we create or collect
When you register to use our Services, our systems will generate unique identifiers including your main Offensive Security ID (“OSID”), Purchase ID, Lab ID, Certificate ID, Video ID, system username and password. These identifiers are known as “pseudonymized” personal data and cannot alone identify you but can identify you when combined with other Personal Data we hold.
We may also gather nicknames or handles you operate under in public blogs, forums, chat rooms or other channels.
We keep a record of your purchase history and examination history. We may also keep administrative notes on your file.
Copies of emails between us will be kept in our systems.
As noted under the heading “How we use your Personal Data” we create and keep videos of Students during the proctoring of examinations.
Personal Data We Get From Third Parties
We may receive identification and contact Personal Data about you from our Customers if they are paying for you to use our Services, our Suppliers and business partners if you are working with us on their behalf, data brokers providing non-public lists and publicly available sources like LinkedIn and other directories.
In addition, we may verify your identification using third party service providers who may provide additional identification data to us.
Where we process your Personal Data
We store and process this Personal Data on servers in the United States, Israel and the Philippines, and we use this information for our internal purposes and to provide you with information, support, and Services.
How we use personal data
We use the Personal Data we collect, described above:
- To provide Services to you: For our legitimate interests and/or to perform a contract, to authenticate users, provide the Services, process transactions and respond to your requests. For all Site visitors and Students, including visitors and Students within the EU, this use is necessary to provide the Sites to you and perform and enforce the Service(s) contract with you. If we cannot verify a Student’s identity with the basic information we collect, we may request additional Personal Data such as a scanned government ID, scanned utility bill(s), or scanned bank statement(s). We process this data to confirm your identity and to ensure that we can lawfully provide you with our Services (e.g. screening against various “prohibited persons” lists and sanctioned countries). If we are not entirely satisfied with the results, we may use your Personal Data to prevent you from buying Services from us.
For Students under the age of 18, we collect the name(s) and IDs of the person who has parental responsibility for you, and that person’s consent to process your Personal Data and provide you with Services.
- To undertake Service-related activities: For our legitimate interests:
- To customize the user experience.
- To better understand how visitors interact with our Sites and ensure that our Sites are presented in the most effective manner for you, and as part of our efforts to keep our Sites, network, and information systems secure.
- To conduct analytics to inform our marketing strategy and enable us to enhance and personalize our communications and the experience we offer to our visitors and Students.
- To communicate with you in connection with the Services you are using. If you ask us to delete your data or to be removed from our marketing lists and we are required to fulfill your request, we will keep basic data to identify you and prevent further unwanted processing.
- To provide your Personal Data to third parties if it’s necessary for the Services we are providing.
- To bill you: For the performance of a contract, for billing. For all Site visitors or Students requesting paid Services, we collect your billing information identified above to process payments using our third-party Vendors and Service Providers referenced below. This applies to all Site visitors and Students, including those within the EU, and this use is necessary for us to perform the Services contract with you. We store and process this Personal Data in addition to providing this information to our third-party Vendors and Service Providers (described below).
- To protect our intellectual property: For our legitimate interests and/or performance of a contract, to protect our intellectual property. We may use your Personal Data to mark course materials we provide to you so we can monitor and protect our confidential intellectual property if it is published or made available without our permission. Any marking of materials may include the Student’s full name, home address, personal email address, and OSID, in a visible form.
- To enforce our academic policy or Master Terms: For our legitimate interests and/or performing a contract, to terminate or suspend your access to our products or prevent you from placing future orders. We will use your Personal Data to record situations where we believe you have breached our academic policy, have abused our intellectual property rights or otherwise breached the Master Terms you agree to when you register with us. We may use this record to terminate or suspend your access to our Services and prevent you from placing orders with us.
- To proctor your exam: For our legitimate interests and/or performing a contract, for online proctoring of examinations. When an examination is subject to online proctoring, the Student’s webcam and computer screen will be monitored, viewed, recorded, stored, and/or audited to ensure the integrity of the examination, including by Offensive Security’s employees, contractors, proctors, and/or agents. This means that Student and any of Student’s immediate surroundings, and anything else within range of Student’s webcam or viewable on Student’s computer screen, may be monitored, viewed, recorded, stored, and/or audited during and following the examination. The Student’s video feed and screen feed is monitored by Offensive Security proctoring personnel in the Philippines and stored on Offensive Security’s servers in the Philippines.
- To undertake marketing: For our legitimate interests or, where required by law, with your consent, to send you updates and information about our other products and services, upcoming events or other promotions or news by telephone, email or push notification. You may opt out of receiving further marketing emails by following the instructions contained in each promotional email we send you or by contacting us at firstname.lastname@example.org. We will continue to contact you via email regarding the provision of our Services and to respond to your requests.
- To manage Customer relationships: For our legitimate interests and/or performing a contract, if you are an employee or contractor of one of our Customers, we will use your Personal Data to manage our relationship with that Customer including communicating with you about the Services, for billing and for sending you updates and information about our other Services, upcoming events or other promotions or news by telephone, email or push notification. Please see the paragraph above in relation to your right to opt out of future marketing emails.
- To manage Supplier relationships: For our legitimate interests and/or performing a contract, if you are a Supplier or an employee or contractor of one of our Suppliers, we use your Personal Data to manage our relationship with you/that Supplier, for payment and to communicate with you/that Supplier about the products and services you/they are supplying to us.
- To undertake background checking: For our legitimate interests and/or to comply with the law, before we provide you with Services or buy products or services from you or during our business relationship, we’ll use Personal Data you have given us with information we have collected from credit reference agencies or suppliers of “prohibited persons and countries” lists to manage our regulatory, credit or business risk. In our sole discretion, we may refuse to provide or buy services or products to or from you based on the results of our investigations. When credit reference agencies get a search request from us, a ‘footprint’ goes on your file which other organisations might see.
- To collect debts from you: For our legitimate interests and/or performing a contract, if you don’t pay your bills, we might ask a third party to collect what you owe. We’ll give them Personal Data about you (such as your contact details) and your account (the amount of the debt) and may sell the debt to another organisation to allow us to receive the amount due.
- To prevent and detect crime: For our legitimate interests and/or to comply with the law, we’ll use and share your Personal Data to help prevent and detect crime. For example, we might share your Personal Data with government and law-enforcement agencies. We’ll also use it to prevent and detect criminal attacks on our computer network. To do that we use any Personal Data we hold on you to the extent necessary including any CCTV footage and Personal Data we have collected from credit reference agencies or suppliers of “prohibited persons and countries” lists. We use this Personal Data because we have a legitimate interest in preventing and detecting crime.
- To comply with our legal obligations: For our legitimate interests and/or to comply with the law, we’ll share Personal Data where we have to legally share it with another person. That might be when the law says we have to or because of a court order. Above, we have given examples of organisations we might share your Personal Data with e.g. credit reference agencies. When we share your Personal Data with these organisations we do our best to ensure it’s protected, as far as reasonably possible. We also use service providers to process Personal Data on our behalf.
Our legitimate interest in using your Personal Data
We will use your Personal Data for our legitimate interests if we have assessed we have a legitimate business interest in doing so to operate our business.
How do we assess we have a legitimate business interest?
- checked the usage is necessary and there’s no less intrusive way to achieve the same result
- considered whether your interests override our interests
- considered whether you would reasonably expect us to use your Personal Data in this way
- considered whether you would find the usage intrusive or it would cause you harm
- taken extra care to protect the interests of children
- considered safeguards to reduce the impact where possible
- offered you an opt out where appropriate.
Sharing And Disclosure
We may share your Personal Data and other information with certain third parties in these circumstances:
- Affiliates within the Offensive Security Group: for security, business, operational and administrative support purposes.
- Publication of Personal Data in connection with certifications: When a Student passes an examination and obtains a certification, we may publish certain Personal Data of the Student on a publicly available Site so anyone from the public can confirm the Student obtained the certification(s). We allow the public to search by name or by Offensive Security ID (OSID). We display the Student’s name, OSID, course taken, certificate received and associated dates.
- Your Employer and others: If your employer or another third party has paid us for your training or certification, we may disclose the results of your examination and our observations of your performance and conduct to them.
- Service Providers: To assist us in providing products and services and to operate our business, your Personal Data may be shared with our third-party service providers. These include organizations who provide services in relation to the training we provide, marketing, infrastructure and information-technology, payment processing, logistics and shipping and professional advice.
- Third Party Accreditation: Sometimes, our certifications will be accredited by third parties as equivalent to their own. If you wish to take advantage of such accreditation, we will transfer your Personal Data to such third parties.
- Business Transfers: If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of all or a portion of our assets, or transition of service to another provider, your Personal Data and other information may be transferred to a successor or affiliate as part of that transaction.
- Legal Requirements: If required to do so by law, applicable regulation or in the good faith belief that such action is necessary to (i) comply with a legal obligation, (ii) protect and defend the rights or property of Offensive Security, (iii) act in urgent circumstances to protect the personal safety of users of the Sites or the Services, or the public, or (iv) protect Offensive Security against legal liability.
Where we use another organisation to provide services or products to us, we still control and are responsible for your Personal Data and for ensuring there are controls in place to make sure it’s adequately protected.
If we need to transfer your Personal Data to another organisation for processing in countries outside the EEA and not listed as ‘adequate’ by the European Commission, we’ll only do so if we have model clauses or other appropriate safeguards (protection) in place. For transfers between our Affiliates, we rely on model clauses. In relation to our US data centre and our US cloud platform providers, we rely on model clauses. We have a further data center in Israel which is listed as adequate by the European Commission.
We will keep your Personal Data for as long as reasonably necessary for the purposes described in this Privacy Notice, while we have a legitimate business need to do so in connection with your account, or as required by law (e.g., for tax, legal, accounting or other purposes), whichever is the longer.
We do have additional specific data retention policies for certain categories of data.
- Authentication and Parental Consent: For the additional Personal Data collected as part of the authentication process (i.e., scanned government ID, scanned utility bill(s), or scanned bank statement(s)), we delete this data after 120 days. We also delete limited Personal Data collected as part of the parental consent process (i.e., parental IDs) after 120 days.
- Billing Information: For the Personal Data we collect for billing (i.e., country, credit card name, credit card number, credit card expiration date, billing address, and credit card CVV), we store this data in encrypted form and do not store the complete credit card number. We delete this data after 1 year from the most recent transaction (payment or refund). This retention policy applies only to the billing information stored by Offensive Security and not to the billing information we provide to our third-party Vendors and Service Providers.
- Proctoring Video and Screen Feeds: For any video and screen feeds obtained by Offensive Security during proctoring an examination, we delete this data after 6 months. We may keep it for longer if we suspect you may be in breach of our Academic Policy and your examination attempt is under investigation.
The Personal Data that we collect is stored and processed on servers in the United States, Israel and the Philippines. We take steps to ensure that your Personal Data is protected from unauthorized disclosure.
Cookies are a standard feature of Sites that allow us to store small amounts of data on your computer about your visit to the Site. They are widely used to help make Sites work or work in a better, more efficient way, such as by recognizing you and remembering information that will make your use of the Site more convenient (such as by remembering your preference settings). Cookies also help us to learn which areas of the Site are useful and which areas need improvement, and to track your usage of the Site to provide you with targeted advertisements.
Rights Under European Law
This section provides information on your rights, where applicable, as a data subject under European data protection law (for these purposes, European data protection law includes reference to that for the EU (and which also includes the European Economic Area countries of Iceland, Liechtenstein and Norway)).
Your Rights. Subject to applicable European law, you have the following rights in relation to your Personal Data:
- Right of access: If you ask us, we will confirm whether we are processing your Personal Data and, if so, provide you with a copy of that Personal Data along with certain other details. If you require additional copies, we may need to charge a reasonable fee.
- Right to rectification: If your Personal Data is inaccurate or incomplete, you may ask that we correct or complete it. If we shared your Personal Data with others, we will tell them about the correction where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your Personal Data so you can contact them directly.
- Right to erasure: You may ask us to erase your Personal Data in some circumstances, such as where we no longer need it or you withdraw your consent (where applicable). If we shared your data with others, we will alert them to the need for erasure where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your Personal Data so you can contact them directly.
- Right to restrict processing: You may ask us to restrict or ‘block’ the processing of your Personal Data in certain circumstances, such as where you contest the accuracy of the data or object to us processing it (please read below for information on your right to object). We will tell you before we lift any restrictions on processing. If we shared your Personal Data with others, we will tell them about the restriction where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your Personal Data so you can contact them directly.
- Right to data portability: You have the right to obtain your Personal Data from us that you consented to give us or that was provided to us in connection with our contract with you. We will give you your Personal Data in a structured, commonly used and machine-readable format. You may reuse it elsewhere.
- Right to object: You may ask us to stop processing your Personal Data, and we will do so:
- If we are relying on a legitimate interest (described under the “How We Use Data” section above) to process your Personal Data — unless we demonstrate compelling legitimate grounds for the processing; or
- If we are processing your Personal Data for direct marketing.
- Rights in relation to automated decision-making and profiling: You have the right to be free from decisions based solely on automated processing of your Personal Data, including profiling, unless this is necessary in relation to a contract between you and us or you provide your explicit consent to this use.
- Right to withdraw consent: If we rely on your consent to process your Personal Data, you have the right to withdraw that consent at any time, but this will not affect any processing of your data that has taken place.
- Right to lodge a complaint with a data protection authority: If you have a concern about our privacy practices, including the way we handled your Personal Data, you can report it to the data protection authority authorized to hear those concerns.
You may contact us at privacy @ offensive-security.com to exercise your rights.
Changes to processing
We will notify you of changes to the data processing activities described in this Privacy Notice by updating the Privacy Notice or as otherwise required by law.
For Students under the age of 18, we collect the name(s) and IDs of the person who has parental responsibility for you, and that person’s consent to process your Personal Data and provide you with Services.
If you believe we are processing the Personal Data of a Student under the age of 18 without consent from the person who has parental responsibility for them, please contact us at email@example.com and we will endeavor to delete that Personal Data from our databases.
We try to protect the Personal Data from loss, misuse and unauthorized access, disclosure, alteration, or destruction. However, no method of transmission over the internet is 100% secure.
Changes to our privacy notice
We may change this Privacy Notice at any time and when we do we will post an updated version on this page.
If you want to make a complaint about how we have handled your Personal Data, please contact us at firstname.lastname@example.org and we will investigate and report back to you. If you are still not satisfied after our response or believe we are not using your Personal Data in line with the law, you also have the right to complain to a data-protection regulator. In Gibraltar this is the Gibraltar Regulatory Authority (www.gra.gi); alternatively, see https://edpb.europa.eu/about-edpb/board/members_en for details of your local regulator.
If you have questions about our Privacy Notice or our data practices, please contact us at privacy @ offensive-security.com.